Q&A: You've got questions! We've got answers!
Physician Practice Insider, May 16, 2017
Submit your questions to Editor Karen Long Rayburn at klong@decisionhealth.com, and we will work with our experts to provide you with the information you need.
Q. Since our last risk analysis, we’ve added a patient portal. Do we need to include the patient portal in our risk analysis?
A. Yes, because it represents a potential threat to your patients’ protected health information (PHI). When you make any significant change to your IT infrastructure or make any major changes to your business or clinical practices, it’s recommended that you assess the risk before the change and after the change. If a risk analysis was conducted within a year of that change, there isn’t a reason to completely redo the risk analysis, though. A full risk analysis should be conducted annually, especially if you’re receiving Meaningful Use (MU) dollars.
When systems change, like adding a patient portal, it’s a good idea to assess what those changes mean as it relates to risk and mitigate identified risks before making the change. After the change is made, check to make sure the risks you identified and addressed were actually mitigated and that no new risks arise that could threaten your patients’ PHI. This should be included as a process in your risk management program. A risk management program is sound security practice and is a HIPAA and MU requirement.
Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.